Sending data from a Docker container over SSL using Python paho.mqtt


I have a Python script in Docker with a paho.mqtt client:

import json
import ssl

import paho.mqtt.client as mqtt

# connection parameters
broker = "111.11.111.111"
port = 5000
topic = "v1/devices/me/telemetry"
device_token = "111"

# message creation
msg = dict()
msg["greeting"] = "Hello World"
msg_out = json.dumps(msg)

# create mqtt client
client = mqtt.Client()

# access token
client.username_pw_set(device_token)

# one-way-SSL
client.tls_set(ca_certs="../settings/test-server.pub.pem", certfile=None, keyfile=None, cert_reqs=ssl.CERT_REQUIRED,
               tls_version=ssl.PROTOCOL_TLSv1, ciphers=None)

# two-way-SSL
# client.tls_set(ca_certs="tb-test-server.pub.pem",certfile="mqttclient.nopass.pem",keyfile=None,cert_reqs=ssl.CERT_REQUIRED,tls_version=ssl.PROTOCOL_TLSv1,ciphers=None)

# connect, send message and disconnect
client.connect(broker, port, 60)
client.publish(topic, msg_out, 1)
client.disconnect()

When I start the script on the host, everything works. But if I start the script inside the Docker container, I get this error:

SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '111.11.111.111'.
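
The client certificate "test-server.pub.pem":


I use Thingsboard as the MQTT broker. Thingsboard configuration. I created the certificate as described above. As stated above, the script works on the host of the Docker container, but not inside the Docker container.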

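IP address mismatch

You have a certificate with an IP address in the CN field (since your question is heavily obfuscated, I won't repeat it here), and you are connecting to a different IP address. The TLS library therefore rejects the connection because of the mismatch.

You probably need to reissue the certificate with the correct IP address. Since it is a self-signed certificate, creating a new one should be no problem.

However, using an IP address like this is not a good idea. You should use a hostname instead, so that the same hostname appears both in the certificate and in the client code when connecting. Of course, you need to make sure in the same way that there is no mismatch.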

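You need to add more details, in particular about how you created the certificate you are using and how you configured the broker.

I use Thingsboard as the MQTT broker. I created the certificate as described above. I think the problem is caused by Docker's networking, because the script works fine outside the Docker container.

openssl x509 -in ../settings/test-server.pub.pem -text, so that we can see what the certificate CN is configured as.

Please don't use 111.11.111.111 in your obfuscation, thanks. If you really need to do that (doubtful), look at the IP blocks reserved specifically for documentation and examples in RFC 5737.

Thanks for your answer, but unfortunately it does not solve the problem. As stated above, the script works on the host of the Docker container, but not inside the Docker container. I use the same certificate, so that shouldn't be it. Even when using a hostname, the problem persists.

I'm sure that if you use a certificate with a hostname, you will not get the "IP mismatch error" as the verification failure. So if you have other data and debugging steps, feel free to add them to your question so that others can help you.
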
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 737991734 (0x2bfcdc36)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=B, L=B, O=IAV, OU=Digital-Lab, CN=194.31.198.168
        Validity
            Not Before: Aug 29 09:53:53 2018 GMT
            Not After : Jan 13 09:53:53 2046 GMT
        Subject: C=DE, ST=B, L=B, O=IAV, OU=Digital-Lab, CN=194.31.198.168
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F7:F6:DC:83:8F:9E:E1:2F:68:B5:4A:95:5C:E0:9B:03:B2:0B:A6:3C
    Signature Algorithm: sha256WithRSAEncryption
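
Added example, not part of the original question or answer: a simplified model of the peer-name check that Python 3.7 and later delegate to OpenSSL, where an IP target is compared only with iPAddress subjectAltName entries and never with the CN. It shows why a certificate like the dump on this page (IP in the CN, no subjectAltName) fails the check, and which reissued certificates pass. The function names, the address 192.0.2.10 and the name broker.example.test are assumptions made for illustration.

```python
import ipaddress

def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' may only replace the whole first label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def check_target(cert, target):
    """Simplified model of the peer-name check; returns (ok, reason)."""
    san = cert.get("subjectAltName", ())
    want_ip = _as_ip(target)
    if want_ip is not None:
        # IP targets are compared only with iPAddress SAN entries, never the CN.
        ips = [_as_ip(v) for k, v in san if k == "IP Address"]
        if want_ip in ips:
            return True, "matched iPAddress SAN"
        return False, "IP address mismatch: no iPAddress SAN for " + target
    dns = [v for k, v in san if k == "DNS"]
    if dns:
        ok = any(_dns_match(d, target) for d in dns)
        return ok, "matched dNSName SAN" if ok else "hostname mismatch"
    # CN is a fallback for hostnames only, and only when no dNSName SAN exists.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = any(_dns_match(c, target) for c in cns)
    return ok, "matched CN (legacy fallback)" if ok else "hostname mismatch"

# Constructed samples in the dict layout of ssl.SSLSocket.getpeercert().
# PAGE_CERT mirrors the dump on this page: CN holds an IP, no subjectAltName.
PAGE_CERT = {"subject": ((("commonName", "194.31.198.168"),),)}
IP_SAN_CERT = {"subject": ((("commonName", "broker.example.test"),),),
               "subjectAltName": (("IP Address", "192.0.2.10"),)}
DNS_SAN_CERT = {"subject": ((("commonName", "broker.example.test"),),),
                "subjectAltName": (("DNS", "broker.example.test"),)}

if __name__ == "__main__":
    for cert, target in [(PAGE_CERT, "194.31.198.168"), (IP_SAN_CERT, "192.0.2.10"),
                         (DNS_SAN_CERT, "broker.example.test")]:
        print(target, check_target(cert, target))
```
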